Fundamental Quantitative Security In Quantum Key Generation 
We analyze the fundamental security significance of the quantitative criteria on the final generated key K in quantum key generation, including the quantum criterion d, the attacker's mutual information on K, and the statistical distance between her distribution on K and the uniform distribution. For operational significance a criterion has to produce a guarantee on the attacker's probability of correctly estimating some portions of K from her measurement, in particular her maximum probability of identifying the whole K. We distinguish between the raw security of K, when the attacker just gets at K before it is used in a cryptographic context, and its composition security, when the attacker may gain further information during its actual use to help getting at K. We compare both of these securities of K to those obtainable from conventional key expansion with a symmetric key cipher. It is pointed out that a common belief in the superior security of a quantum generated K is based on an incorrect interpretation of d which cannot be true, and the security significance of d is uncertain. Generally, the QKD key K has no composition security guarantee and its raw security guarantee from concrete protocols is worse than that of conventional ciphers. Furthermore, for both raw and composition security there is an exponential catch up problem that would make it difficult to quantitatively improve the security of K in a realistic protocol. Some possible ways to deal with the situation are suggested.

PACS numbers: 03.67.Dd 



I. INTRODUCTION AND SUMMARY



Physical cryptography, the use of physical effects in 
addition to purely mathematical artifice for fast reliable 
cryptographic functions, has received considerable recent 
attention. For key generation, variously called key distri- 
bution, key expansion, key exchange or key agreement, 
the use of classical noise was first proposed [l]-[3] while 
the use of information-disturbance tradeoff in BB84 type 
protocols are the well known quantum key distribution 
(QKD) schemes [4]- [5]. Other quantum schemes that 
dispense with intrusion level estimation have been de- 
veloped on the basis of incompatible quantum measure- 
ments in the KCQ (keyed communication in quantum 
noise) approach [6] -[9]. The fundamental merit of these 
physical cryptographic schemes is that the so-called in- 
formation theoretic (IT) security is possible, in contrast 
to the expansion of a master key to session keys or key 
agreement from public-key protocols with security based 
on computational complexity. It is the purpose of this pa- 
per to demonstrate in detail that, contrary to widespread 
perception and belief, (i) it is not clear how strong IT se- 
curity can even be obtained in principle from QKD; (ii) 
the security guarantee that can be experimentally ob- 
tained thus far is quite inadequate. Some assessment and 
suggestion will be made on the current situation. Note 
that we are not at all concerned with appropriate sys- 
tem modeling or device imperfection issues, but rather 
just with the fundamental quantitatively achievable se- 
curity in a concrete protocol with realistic parameters, 
assuming perfect devices and applicable system model. 



There are two main reasons for this present unsatis- 
factory state of affairs: The problem of quantitative se- 
curity criteria and the security of the final generated key 
K during actual use in a cryptography scheme — the 
so-called composability problem. We will explain them 
by comparing a perfect fresh key $K_p$ and a session key $K'$ generated from a pseudorandom number generator (PRNG) to the key $K$ generated from BB84 type protocols [10]. The comparison between $K'$ and $K$ is meaningful because a shared secret key between the users is also
needed in KCQ, and in QKD for message authentication, 
during the key generation process. The keys obtainable 
from KCQ or classical noise-based protocols would share 
all or some of the problems associated with K. 

A perfect key $K_p$ has a uniform probability distribution $p(K_p) = U$ to the attacker (Eve). For $K_p$ consisting of $n$ bits, there are $2^n$ possible values for $K_p$, each with a probability $U_i = 2^{-n}$. Furthermore, any piece of additional information Eve may obtain in the actual use of $K_p$ in any cryptographic scheme should not give Eve more information about $K_p$. For example, when $K_p$ is used in one-time pad encryption of some $n$ data bits and $m < n$ bits are revealed in a known-plaintext attack (KPA), Eve still would have a uniform distribution with respect to the remaining $n - m$ bits in $K_p$. We would call the pre-use quantitative security of $K$ its "raw security" and the in-use security its "composition security". A composition security guarantee is needed even when the raw security is adequate. In this paper we would deal with composition security mainly on the problem of the extent to which any bit of $K$ remains secret when some other part of $K$ is known to Eve. For such a problem, whether $K$ is perfect for a classical protocol reduces to the question whether $p(K) = U$, where $p(K)$ is Eve's probability distribution on $K$ obtained through her attack with possible further information gained during the actual use of $K$. The situation is far more complicated in the quantum case due to the possibility of quantum memory. It is possible to obtain a perfect key in practice when a secure method (but perhaps clumsy, such as hand delivery) is used to deliver a randomly picked key string to be shared between two users Alice and Bob. If one generates the key by a public-key technique such as RSA, its security is based entirely on (presumed) computational complexity, i.e., it is (presumably) practically impossible for Eve to determine $K$ due to the lack of an efficient algorithm even though it is possible in principle. In contrast, $K_p$ has IT security that is not changed by Eve's computational power.

One often hears that the generated key K in QKD 
has IT security, by itself a rather misleading statement 
because the $K$ obtained in physical cryptography is never perfect just in the sense of $p(K) = U$. A mistaken claim is maintained in the literature [5],[11]-[12] that $p(K) = U$ with a high probability if one uses the criterion $d$ to be discussed later. It is one of the main purposes of this paper to dispel this misconception. In contrast to a
QKD generated key K, a fresh key when available can 
typically be taken to be perfect in standard cryptography 
as indicated above. A more precise security claim on 
K is that it is sufficiently close to perfect. But then 
the crucial issue of quantitative security criteria arises 
for measuring the closeness, and in particular why any 
specific achievable quantitative value is adequately secure 
in a given application. This problem does not arise in a 
standard fresh key for which p(K) = U. 

There is no fundamental guarantee of IT security from a "randomness test" given Eve's knowledge of the key generation process. The proper security criterion on $K$ is the set of probabilities $p_1(\tilde{K})$ of Eve's correct estimates on all the possible subsets $\tilde{K}$ of $K$, which she could derive from her possible $p(K)$. A common single-number criterion such as her mutual information on $K$ has no empirical operational security significance in itself and merely expresses a constraint on Eve's possible $p(K)$. For an operational guarantee one would need to translate such a criterion into guarantees on $p_1(\tilde{K})$, which would be carried out in this paper.

To avoid possible confusion one may distinguish the 
following three different logical situations: 

(a) A proof of security has been obtained that works 
against all possible attacks with high probability. 

(b) A specific attack has been found that breaches se- 
curity with high probability. 

(c) Security level unknown for various possible attacks. 

In this paper we are not talking about case (b). Instead, it is pointed out that case (a) has not been established and case (c) is the current situation, contrary to the claims in the QKD literature.

For comparison to the case of K, we first describe the 
raw and composition security for the key K' obtained 
by PRNG in standard (conventional) cryptography. In 
typical "key expansion" scheme a master key $K_m$ is fed through a PRNG to generate a key $K'$ with many more bits than $K_m$, $|K_m| < |K'|$. Different segments of $K'$ are then used as different session keys in various uses in order to reduce the total number of perfect key bits otherwise needed. On the raw security of $K'$, the Shannon measure of information or Eve's entropy on $K'$, $H_E(K')$, is often employed. The well known Shannon limit [3],[9],[13]-[14] says

$$H_E(K') \le |K_m| \qquad (1)$$

If $\tilde{K}'$ is any subset (subsequence) of $K'$, it is possible that $H_E(\tilde{K}') = |\tilde{K}'|$, similar to the case of a uniform $K'$, even under (1) when $|\tilde{K}'| \le |K_m|$, but no other $\tilde{K}'$ can have a uniform distribution since that would violate (1). Thus, with $H_E(K')$ taken as the measure of raw security, there is IT security for such session keys in standard cryptography also. It is just that their quantitative level may be far from perfect.

There are other important measures of quantitative IT security: Eve's maximum probability $p_1(K)$ of determining the whole key $K$, her maximum probabilities $p_1(\tilde{K})$ of determining various subsets $\tilde{K}$ of $K$, and these are the ones with operational significance. In addition to $H_E$, there is another common single-number measure used in quantifying the randomness of a bit sequence, namely the statistical distance $\delta(p(K),U) = \delta_E(K)$ between Eve's probability distribution of $K$ and $U$. Generally, from different attacks on a physical cryptosystem and from different measured ciphertexts, Eve would obtain different probability distributions $p(K)$ on $K$, which would determine the above quantities and whatever other measure one may employ. The significant point and a main difficulty is that no single number, be it $H_E$, $p_1$ or $\delta_E$, could capture the full security picture in physical key generation with even just one probability distribution $p(K)$ for Eve.

For raw security, many PRNG including those given just by a (maximum length) linear feedback shift register (LFSR) with perfect seedkey $K_m$ have the following behavior [15],

$$p_1(K') = 2^{-|K_m|}, \qquad p_1(\tilde{K}') = 2^{-|\tilde{K}'|} \qquad (2)$$

where $\tilde{K}'$ is a subsequence of $K'$ of up to $|K_m|$ consecutive bits. This is very favorable compared to the $K$ that can be generated by QKD, as will be seen in the next paragraph. However, such $K'$ has no IT composition security. Specifically, if $K'$ is used in "one-time pad" form, i.e., the PRNG is used as an additive stream cipher with $K'$ as running key, then a KPA with $|K_m|$ known consecutive data bits would lead to a unique determination of $K_m$ for the usual nondegenerate ciphers including LFSRs in their common cipher configurations. The knowledge of $K_m$ would then allow the complete determination of $K'$ [14]-[15]. The situation is similar when $K_p$ is used in a conventional symmetric-key block cipher such as AES.

For $K$ obtained from QKD, the most commonly used criterion for raw security is $I_E/|K| = 1 - H_E(K)/|K|$, Eve's information per bit on $K$ from her attack. Under the quantitative security $I_E/|K| \le 2^{-l}$, it was shown [9, section IIIB] that the possibility is not ruled out that Eve may obtain a correct estimate of $K$ and of $m$-bit subsets $\tilde{K}$ of $K$ with probabilities, for $l < |K|$,

$$p_1(K) \sim 2^{-l}, \qquad p_1(\tilde{K}) \sim 2^{-l} \qquad (3)$$

Such a possibility arises because the bits in $K$ are not statistically independent to Eve. In BB84 they have been correlated from error correction and privacy amplification as well as from Eve's joint attack. For concrete protocols that can be experimentally developed thus far [16], $l \sim 10$ for $|K| > 10^3$, which means a disastrous breach of security with $p_1(K) \sim 10^{-3}$ is not ruled out. In any event, even $l \sim 50$ is rather unfavorable compared to (2), where $|K_m| > 100$ is typical in most conventional ciphers.

Another useful criterion is the statistical distance $\delta_E(K)$ between $p(K)$ and $U$. For $\delta_E(K) = 2^{-l}$ with $l < |K|$, the possibility remains that [9, App. B]

$$p_1(K) \sim 2^{-l}, \qquad p_1(\tilde{K}) \sim 2^{-l} \qquad (4)$$

It should be noted that a sufficiently small $p_1(K)$ guarantee is evidently necessary for a meaningful security guarantee, see Section IV. It is apparent from (3)-(4) that according to the criteria $I_E/|K| \le \epsilon$ and $\delta_E \le \epsilon$, $K$ is only nearly uniform when $\epsilon = 2^{-\lambda|K|}$ with $\lambda \sim 1$, a condition that appears impossible to achieve by a realistic protocol with a significant key generation rate. For the criterion $I_E/|K|$, QKD does much better than PRNG, which is responsible for the better composition security of $K$ as will be shown in this paper.

On the composition security of $K$ it has been shown [12] that when Eve retains her probe, for $I_E/|K| \sim 2^{-l}$ it may be possible for her to tell the $(l+1)$th bit of $K$ knowing $l$ of them from, say, a KPA on the use of $K$ as one-time pad. To overcome this problem, the use of a different criterion $d$,

$$d = \tfrac{1}{2}\,\|\rho_{KE} - \rho_U \otimes \rho_E\|_1 \le \epsilon \qquad (5)$$

was suggested and developed [11],[17]. The claim is that under (5) the users would get a perfect key $K$ with probability at least $1 - \epsilon$. This is an incorrect interpretation of (5), as has been mentioned [9, App. B]. Given this prevailing misconception we will give a detailed discussion in section IIIC and bring out the point instead that $p(K)$ is actually never given by $U$ for $d = \epsilon > 0$ and that $d \le \epsilon$ has no clear raw or composition security significance. In any event, theoretical estimates [18]-[19] give $\epsilon = 10^{-5}$ for various large $|K|$, corresponding at best to (4) with $l \sim 17$.

As will be detailed in the paper, the following problem situation obtains on the security guarantee of the generated key $K$ in concrete QKD protocols:

(i) The raw security of $K$ is worse than that of an LFSR for the probabilities $p_1(K)$ of identifying the whole $K$ by an attacker and $p_1(\tilde{K})$ for many smaller subsets $\tilde{K}$ of $K$.

(ii) There is no composition security guarantee for $K$; an exponential decrease of the accessible information may only lead to a linear decrease of the number of compromised key bits, while the situation is unknown for $\delta_E$ or $d$.

In the following we will flesh out these points and dis- 
cuss their implications on the development of physical 
cryptography. In section II we will discuss the raw se- 
curity of the generated key K. In section III the com- 
position security of K will be treated which shows the 
lack of such guarantee thus far for both specific attack 
scenarios and in general. In Section IV we discuss the 
relevance of rigorous security proofs and the importance 
of actual numerical values. Some suggestions on possible future development of physical cryptography are outlined in section V.



II. RAW SECURITY OF THE GENERATED KEY 

We will first review the raw security of a running key 
K' generated from a master key in standard cryptogra- 
phy for later comparison with the key generated from 
QKD. Recall that by the raw security of K we mean the 
quantitative security level of K against attacks during the 
key generation process without any additional informa- 
tion that Eve may obtain during its actual cryptographic 
use. For a key obtained from public-key technique such 
as RSA, there is no IT security at all since the key can 
be determined by Eve if she has sufficient computational 
power. Thus, we would not further discuss public-key 
schemes in this paper which deals only with IT security. 
For the usual symmetric-key ciphers there is IT security 
for K' and it is better than that of concrete realistic QKD 
schemes. As we shall see, this arises as a result of the de- 
tailed quantitative behavior of the security measures that 
have been adopted to describe the quantitative security. 
We will begin with a discussion of the security measures. 

IIA. Security Criterion and Security Parameter

The attacker's optimal probabilities $p_1(\tilde{K})$ of correctly estimating $\tilde{K}$, any subset of $K$, constitute the operationally meaningful criterion on the security of $K$. In conventional cryptography the closeness of $p_1(\tilde{K})$ with $p_1(\tilde{K}_p)$ for all $\tilde{K}$ is called semantic security [20], whether polynomial complexity is included [21] on an attack algorithm or not [22]. A security parameter $\epsilon$ may be introduced to measure the deviation of such semantic security from a perfect key $K_p$, $\epsilon = 0$ corresponding to the perfect case.

Such a semantic security guarantee is difficult to obtain and to prove. Simpler criteria are often employed instead. However, theoretical constructs such as the attacker's mutual information $I_E(K)$ on $K$ have no operational meaning by themselves. In the context of communications, these information theoretic quantities derive their empirical significance via the Shannon Coding Theorems through which they are related to operational quantities [23]. In the context of cryptography, operational significance could only be obtained from the security guarantee on the various $p_1(\tilde{K})$ implied by such a single-number criterion. This is what we would spell out in this paper for the common criteria $I_E(K)/|K|$ and $\delta_E$.



IIB. Conventional Key Expansion Raw IT Security 

Consider the running key $K'$ generated from a PRNG with master key $K_m$, with number of bits $|K'| > |K_m|$. Segments of $K'$ could be used as session keys in different applications. It can also be used as a running key, i.e., in one-time pad form as an additive stream cipher. Let $X_n$ be the $n$-bit data random variable; we use lower case $x_n$ to denote a specific $n$-sequence from $X_n$. An additive stream cipher would have output $Y_n$ with $y_n = x_n \oplus k_n$, where $k_n$ is a specific value of the $n$-bit $K'_n$. (We add the subscript $n$ on occasion for clarity.) The general Shannon limit for a standard cipher is given by (1). It holds for any cipher that satisfies unique decryption $H(X_n | Y_n, K_m) = 0$, thus covers also 'random ciphers' with randomized encryption [13]-[14].

To derive (1) the so-called Kerckhoffs' assumption [14]
is sometimes invoked which says Eve knows everything 
about the cipher except the seedkey K m . Such an as- 
sumption is not actually needed so long as all the in- 
formation Alice and Bob need to share but which Eve 
does not have can be quantified by a proper key K m . 
The ciphertext Y n is also assumed to be available to Eve, 
evidently a most common situation in reality. 

We will discuss several quantitative criteria of security. First, Eve has only one probability distribution on the possible $K'_n$ for nonrandom nondegenerate ciphers. All standard ciphers are nonrandom, i.e., ones for which the ciphertext $y_n$ is uniquely determined by $x_n$ and the specific $k_m$ used. From her knowledge on the structure of a nonrandom cipher Eve could generate the at most $2^{|K_m|}$ possible sequences of $K'_n$ for any $n$ and determine its probability distribution. For $p(K_m) = U$, each of these $K'_n$-sequences would have the same probability $2^{-|K_m|}$ under the normal nondegeneracy assumption of exactly $2^{|K_m|}$ $K'$ sequences. The case of random ciphers is covered in section IIC, which treats classical noise and QKD generated keys.

From $p(K'_n)$ one can determine Eve's maximum probability $p_1(K'_n)$ of getting the whole $K'_n$ correctly, which is just $2^{-|K_m|}$ in the above typical situation. From (1) Eve's mutual information per bit on $K'_n$ is at least

$$I_E(K'_n)/n \ge 1 - H(K_m)/n \qquad (6)$$

The $\delta_E(K'_n)$ is also large for typical $n \gg |K_m|$, similar to $I_E(K'_n)/n$. For a maximum length LFSR or more generally nondegenerate ciphers, the probability of various consecutive subsequences $\tilde{K}'$ of $K'_n$ with $|\tilde{K}'| \le |K_m|$ is given by $p_1(\tilde{K}') = 2^{-|\tilde{K}'|}$ since such $\tilde{K}'$ is uniformly distributed. Thus we have arrived at (2) in section I. However, different subsequences of $K'$ are correlated through $K_m$, and no overall joint probability on any subset of $K'$ can be smaller than $2^{-|K_m|}$.

It is clear from this description what the mechanism of the Shannon limit (1) is: however long $X_n$ is for $n > |K_m|$, from $Y_n$ there are at most $2^{|K_m|}$ possible $X_n$ sequences from $x_n = y_n \oplus k_n$ or any injective encryption map. Such a cipher is considered adequate in standard cryptography for the protection of long data $X_n$ although it is far from semantically secure, perhaps partly because there is no alternative that does better information theoretically than what the key size $|K_m|$ allows, which is always far less than $n = |X_n|$. Perhaps it is partly due to (2), and partly due to the practical complexity of $p(\tilde{K}')$ evaluation for more general subsets $\tilde{K}'$. But see [20, section 5.5.3].

IIC. QKD Key Raw Security 

The case of classical noise key generation will be described first. In such cryptosystems where noise is involved, including randomized encryption systems, there is no longer a fixed observation random variable for Eve, in contrast to the case of the previous section on standard ciphers. In any key generation scheme, the user Alice picks a random bit sequence $Z_{n'}$ of length $n'$ and transmits it to Bob via modulated physical channel inputs, who could extract an error free (with high probability) bit sequence $W_{n''}$ of length $n'' \le n'$ from his observation. For example, this can be done with an openly known error correcting code (ECC) so that both Alice and Bob know what $W_{n''}$ is. Then a "privacy amplification" (PA) function $f_{PA}$ is applied by both to obtain the $n$ bit generated key $K_n = f_{PA}(W_{n''}(Z_{n'}))$, $n \le n''$. One can combine the ECC and PA to write $K_n = F(Z_{n'})$ for an openly known function $F$. Eve learns about $K_n$ through an attack with some observed random variable $Y^E_{n'}$ that depends on $Z_{n'}$ via $p(Y^E_{n'} | Z_{n'})$, her probability of getting various $y^E_{n'}$ given the possible $z_{n'}$. With $p(Z_{n'}) = U$ and the known ECC and PA, Eve then obtains $p(K_n | Y^E_{n'})$, to be called Eve's conditional probability distribution (CPD) on her estimate of $K_n$. Note that a single number security criterion is just a constraint on Eve's possible CPD. The generation rate $r$ is usually taken to be $r = n/n'$, which is further reduced in BB84 from basis matching.

There is typically one complete $Y^E_{n'}$ that Eve may observe in classical-noise key generation, and $Y^E_{n'}$ can be drawn from a continuous alphabet, for example when $p(Y^E_{n'} | Z_{n'})$ is given by that of an additive noise channel. On the other hand, in QKD and KCQ different incompatible $p(Y^E_{n'})$ may be obtained from different incompatible quantum measurements, i.e., $p(Y^E_{n'})$ depends on the specific attack. In all cases the conditioning on different possible observations $y^E_{n'}$ in $p(K_n | Y^E_{n'})$ is an added complication that does not exist in standard ciphers. We first assume that $y^E_{n'}$ is fixed and order the resulting $p(k_n | y^E_{n'}) = p_i$ for $i \in \{1, \dots, N = 2^n\}$,

$$p_1 \ge p_2 \ge \cdots \ge p_N.$$

The most common quantitative security criterion in classical-noise and QKD key generation is that Eve's mutual information per bit $I_E(K_n)/n$ must be small, which cannot be satisfied in standard cipher key expansion from (6). The question is: how small is small enough for what security? Note that this question does not arise for the fresh keys in standard cryptography where the IT security can be presumed perfect. It is clear that Eve's maximum probability of getting the whole key $K_n$ must be sufficiently small. With the distribution $p_1,\ p_2 = \cdots = p_N = (1 - p_1)/(N - 1)$, it has been shown that [9, Section IIIB]

Theorem 1: For $I_E/n \le 2^{-l}$, there are CPD that give

$$p_1 \ge 2^{-l} + \frac{l}{n\,2^{l}}.$$

Furthermore, there are CPD [9] that give $p(K_m) \sim p_1$ when $p_1 \gg 1/N$ for $m$-bit subsets $K_m$ of $K$, $m < n$. Together these give the quantitative results (3), which give the operational significance of an $I_E/n$ guarantee.

In many QKD security proofs Eve's possible $I_E/n$ is bounded for any possible attack she may launch. Whatever one's notion of "secure enough" may be in a realistic application, the experimental results thus far [16] that yield at best $l \sim 10$ for $n > 1{,}000$ are very inadequate as a security guarantee, because they do not rule out the large chance $10^{-3}$ of identifying the whole 1,000 bit key with high probability. See section IVA for a discussion on the role of security proof in this connection. Thus, bounding $I_E/n$ insufficiently just leaves open the possibility of a disastrous breach of security. This situation cannot be expected to improve significantly in concrete realistic protocols because, from Theorem 1, decreasing the security parameter $I_E/n$ exponentially only leads to a linear increase in the effective number of random bits given by $l$. In this connection, it may be observed that it is misleading to consider "exponentially small" as quantitatively adequate in key generation. See section IV.

In the above $p_1$ for a given CPD we have suppressed the $y^E_{n'}$ dependence. The common criteria $I_E/n$ and $\delta_E$ are averages over all possible $y^E_{n'}$ for any given attack. As a guarantee for each $y^E_{n'}$, the Markov inequality [24] for a nonnegative-valued random variable $X$ would need to be employed,

$$\Pr[X \ge \epsilon] \le E[X]/\epsilon \qquad (7)$$

where $E[X]$ is the average value of $X$. Generally this would lead to the more stringent requirement from an $E[X] \le \epsilon$ to $E[X] \le \epsilon^2$ to guarantee $X \le \epsilon$ with probability $\ge 1 - \epsilon$, the latter probability requirement being especially appropriate when $X$ is essentially a probability itself. Thus, by taking $I_E/n \sim p_1$ from (2) the actual full guarantee would reduce the exponent $l$ by half, making it so much more difficult to achieve a good value in practice.

The criterion of statistical distance ($L_1$-distance, variational distance, Kolmogorov distance) $\delta_E = \delta(P,U)$ between Eve's CPD $P = \{p_i\}$ and the uniform $U$ can be used,

$$\delta(P,U) = \frac{1}{2}\sum_{i=1}^{N} \left| p_i - \frac{1}{N} \right| \qquad (8)$$

It is a direct consequence of the definition (8) that [24, p.299]

$$\delta_E \le \epsilon \;\Rightarrow\; p(K_m) \le \epsilon + \frac{1}{2^m} \qquad (9)$$

where $K_m$ is any $m$-bit subset of $K_n$. As a numerical measure, $\delta_E$ suffers exactly the same $p_1$ problem as $I_E/n$. From the same distribution that gives Theorem 1 for $p_1 = 2^{-l}$, one obtains [9, App B],



Theorem 2: For $\delta_E = 2^{-l}$, there are CPD that give

$$p_1 = 2^{-l} + \frac{1}{N}.$$

Similar constructions give (9) with $\le$ replaced by $=$, thus yielding (4) above. Note that (9) gives the operational significance of a $\delta_E$ guarantee. From Theorems 1 and 2 it follows that $K$ is only nearly uniform when $l \sim |K|$. It appears there is no experimental protocol that has been quantified with $\delta_E$ or $d$. Theoretical estimates thus far concentrate on $\epsilon = 10^{-5}$ for $d \le \epsilon$ with various large $n$ [18]-[19]. Even without using (7) for individual guarantee such $p_1$ is inadequate for many purposes. In particular, it is questionable to say a $10^5$ bit key $K$ has IT security with just $l \sim 17$ as compared to the $l \sim 10^5$ for a really perfect key.

The raw security significance of $d \le \epsilon$ is unknown, as shown in the next subsection. Thus, while QKD may in principle provide a better $p_1(K)$ guarantee than conventional key expansion, it is much worse in practice and unlikely to significantly improve. This is because it is difficult to capture the possible probability distribution behavior with a mere single parameter value. A good $p_1$ guarantee, by itself or through $I_E/n$ or $\delta_E$, is inadequate unless $p_1 = 2^{-l}$ with $l \sim n$. This exponential-linear problem appears to be a major quantitative stumbling block to physical cryptography.
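The single-spike CPD behind Theorems 1 and 2 and the bound (9) can be evaluated numerically for realistic key lengths; the following Python is an added example written for this page, not code from the paper, and the values $n = 1000$, $l = 10$, $m = 20$ are constructed illustrative choices.

```python
# Added example (not from the paper): the single-spike CPD used for Theorems 1
# and 2, P = (p_1, p_2 = ... = p_N = (1 - p_1)/(N - 1)) with N = 2^n, evaluated
# in closed form so that n ~ 1000 is feasible (no 2^n enumeration). It shows
# that an exponentially small I_E/n or delta_E only pins p_1 down to the same
# exponent l, what an m-bit subset K_m inherits from p_1 (bound (9)), and, by
# inverting I_E/n, the Theorem-1 excess of the allowed p_1 over 2^-l.
import math
from fractions import Fraction


def info_per_bit(n, p1):
    """Eve's mutual information per bit, I_E/n = 1 - H(P)/n, for the spiked CPD.
    H(P) = h(p_1) + (1 - p_1) log2(N - 1), so I_E/n = p_1 - h(p_1)/n plus a
    2^-n-sized correction; this form avoids cancelling two terms of size ~n."""
    p1 = float(p1)
    rest = 1.0 - p1                                          # mass of the N - 1 other keys
    h2 = -p1 * math.log2(p1) - rest * math.log2(rest)        # binary entropy of the split
    correction = rest * (-math.log2(1.0 - 2.0 ** -n)) / n    # from log2(N - 1) < n
    return p1 - h2 / n + correction


def stat_distance(n, p1):
    """delta(P, U) = (1/2) sum_i |p_i - 1/N| of eq. (8), computed exactly with Fractions."""
    N = 2 ** n
    p1 = Fraction(p1)
    u = Fraction(1, N)
    rest = (1 - p1) / (N - 1)                                # each of the N - 1 other keys
    return float((abs(p1 - u) + (N - 1) * abs(u - rest)) / 2)


def subset_max_prob(n, m, p1):
    """Largest probability Eve assigns to any value of an m-bit subset K_m of K_n:
    the spike's own m bits plus the 2^(n-m) - 1 other keys that share them."""
    p1 = Fraction(p1)
    share = Fraction(2 ** (n - m) - 1, 2 ** n - 1)
    return float(p1 + (1 - p1) * share)


def p1_allowed_by_info_bound(n, l, iters=200):
    """Largest p_1 of the spiked CPD still compatible with I_E/n <= 2^-l, found by
    bisection (I_E/n increases with p_1 on [1/N, 1)). Theorem 1 says this exceeds 2^-l."""
    target = 2.0 ** -l
    lo, hi = 2.0 ** -n, 1.0 - 1e-12                          # I_E/n ~ 0 at lo, ~ 1 at hi
    for _ in range(iters):
        mid = (lo + hi) / 2
        if info_per_bit(n, mid) < target:
            lo = mid
        else:
            hi = mid
    return hi


if __name__ == "__main__":
    n, l, m = 1000, 10, 20                                   # constructed illustrative values
    p1 = Fraction(1, 2 ** l)
    print(f"n={n}, p_1=2^-{l}: I_E/n={info_per_bit(n, p1):.3e}, delta_E={stat_distance(n, p1):.3e}")
    print(f"max prob of a {m}-bit subset: {subset_max_prob(n, m, p1):.4e}"
          f"  (bound (9): 2^-l + 2^-m = {2 ** -l + 2 ** -m: .4e})")
    for ll in (10, 17, 50):
        print(f"I_E/n <= 2^-{ll} allows p_1 = {p1_allowed_by_info_bound(n, ll):.4e}"
              f"  > 2^-{ll} = {2.0 ** -ll:.4e}")
```

The loop over $l$ makes the exponential-linear problem visible: each halving of the permitted $I_E/n$ buys only one more bit in the exponent of $p_1$.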
III. COMPOSITION SECURITY OF THE GENERATED KEY

In this section we will show that composition security has not been guaranteed at all in QKD under $I_E/n$ or $\delta_E$ and their quantum counterparts. Recall that by the composition security of $K$ we mean its quantitative security level against attacks that utilize information obtained both during the key generation process and during the actual cryptographic use of $K$. We will discuss only a specific composition security scenario of partial key leakage (PKL) — whether it is possible for Eve to predict a future bit exactly if part of $K$ is known to her.



IIIA. Conventional Cipher Composition Security 

We first review the case of a standard nonrandom cipher, for which the raw security of $K'$ was discussed in section IIB. For an additive stream cipher $y_n = x_n \oplus k_n$ where $k_n$ is a specific value of $K'_n$ with distribution $p(K')$ on $\{1, \dots, N\}$, Eve would learn $m$ bits of $k_n$ from a KPA where she knows $m < n$ bits of $x_n$ and the openly observed value of $y_n$. From these $m$ bits of $k_n$ Eve could try to determine the seedkey $K_m$ to whatever degree possible, and with such knowledge on $K_m$ she could then get information on the other $n - m$ bits in $x_n$ through $y_n$. Such a KPA can often be launched in real world situations. It is convenient to assume the $m$ known bits of $x_n$ are its first $m$ bits. For the situation where Eve knows nothing about $x_n$, i.e., $p(X_n) = U$, the key $K'$ and hence $K_m$ is totally hidden from observation of $Y_n$ alone since $p(k_n | y_n)$ becomes a memoryless binary symmetric channel with crossover probability 1/2. That does not mean, of course, that the security of $X_n$ is good enough, as section IIB shows how it is limited by (1). It is possible that Eve knows something about $X_n$ so that to her $p(X_n) \ne U$ but she does not know any bit in $x_n$ for sure. We will not discuss such a scenario of "statistical attack" [13],[14] in this paper and focus on just KPA.

For nondegenerate nonrandom ciphers [13],[14] there is a one-to-one mapping between $K_m$ and $\{(X_{m'}, Y_{m'}) \mid m' \in \{1, \dots, |K_m|\}\}$, the pairs of $|K_m|$ consecutive data bits in $X_n$ and the corresponding output bits in $Y_n$. This includes block ciphers and their stream cipher modes of operation. Thus, in a KPA with $m = |K_m|$ the key $K_m$ can be uniquely determined and the rest $n - m$ bits in $X_n$ are totally compromised information theoretically. This is the situation in conventional symmetric-key ciphers such as AES, where security depends exclusively on the complexity of finding $K_m$ from $\{(X_{m'}, Y_{m'})\}$. Indeed, such weak composition security is a manifestation of the weak $I_E/n$ raw security from the Shannon limit (6). As will be seen in the next subsection IIIB, it is removed (classically) by a strong IT guarantee on the raw security. Thus, the composition security situation of classical key expansion is similar to both the raw and composition security of asymmetric key ciphers such as RSA whose security depends on the complexity of factoring large integers.

Generally, we have the PKL problem of the extent to which knowledge on one part of the key $K$ would reveal another part, all through the probability distribution $p(K)$ itself without any further information as in the case of the above KPA. This problem does not exist for a key $K$ with $p(K) = U$, not to mention a perfect key $K_p$. The security against PKL cannot be guaranteed by $p_1$ alone, but it was thought that "exponentially small" $I_E/n$ and $\delta_E$ would be sufficient even in the context of QKD with Eve holding onto her probe with quantum memory. In the rest of this section III we will show that this is the case in a purely classical situation but the presence of quantum effects, while allowing key generation with small $I_E/n$ and $\delta_E$, also takes away the composition security guarantee that obtains in a purely classical scenario.

Before proceeding, it may be mentioned that the possibility of IT security on the key against KPA is not ruled out for degenerate ciphers, meaningful versions of which can be developed for classical ciphers with randomized encryption [13]. That is the subject of future detailed treatment.



III B. Composition Security Under $I_E$ and $\delta_E$

In this subsection we develop the composition security significance of an $I_E$ and a $\delta_E$ guarantee on a key $K$ with distribution $p(K)$ to Eve. This applies to any classical protocol directly and also to a quantum protocol through reduction of the quantum security criterion guarantee. The quantum case is handled in the next subsection.

For a symmetric-key conventional cipher such as AES under KPA or statistical attack, Eve would obtain in general information on $p(K)$ distributed through the whole $K$. We consider the specific case where an $m$-bit subsequence $K_m$ of an $n$-bit $K$ is known exactly to Eve, for example obtained from an $m$-bit KPA for $K$ used as a one-time pad, and ask whether any other bit in $K$ would be revealed with a significant probability from such knowledge. It is clear that a $p_1(K)$ guarantee does nothing for this problem unless it is very close to $2^{-n}$, because it applies to just one $k$ and says little about correlations among the $n$ bits of $K$, which is the matter of concern here. On the other hand, since $I_E$ and $\delta_E$ are themselves already constraints on the whole $p(K)$, it may be expected that a sufficiently small value would lead to good composition security in this case. The question is how small.

The following result shows that a linear leak of information is possible under $I_E$ in the absence of any quantum effect.

Theorem 3:

With $I_E/n = \epsilon$ for any $0 < \epsilon < 1$ there are $p(K)$ for which Eve knows one additional bit from knowing $\lceil 1/\epsilon \rceil$ of them in an $n$-bit $K$. Equivalently, for such $p(K)$ a fraction $\epsilon$ of the bits of $K$ can be determined from the rest of $K$.

The proof can be obtained from the following simple construction. Let $P(\mathbf{k}_n) = P(k_1, \ldots, k_n) = 2^{-n}$ for $n$ bits of an $(n+1)$-bit $K$, and let $k_{n+1} = f(\mathbf{k}_n)$ where $f$ is a known deterministic Boolean function of $\mathbf{k}_n$. Then $P(\mathbf{k}_{n+1}) = P(k_{n+1}|\mathbf{k}_n)P(\mathbf{k}_n) = 2^{-n}$, from which it follows that $I_E/(n+1) = 1/(n+1)$. Either by extension to $m > 1$ other bits determined by $\mathbf{k}_n$ or by forming a product distribution, the theorem follows.

Thus under a KPA with $I_E/n < 2^{-l}$, one bit may be leaked for every $2^l$ known bits. This is perhaps tolerable in some applications when $l > 10$, although there is still the issue of the distribution of such leaked bits in $K$. Unfortunately, the quantum situation is much worse, as discussed in subsection III C with respect to the corresponding accessible information.

The situation for $\delta_E$ is much more favorable than for $I_E$. It is easy to show by simple counting that no deterministic bit of $K$ can be leaked this way when $\delta_E < 1/2$. It can be shown that for $\delta_E < \epsilon$ Eve could not achieve even a probability of knowing a bit better than $\epsilon + 1/2$, compared to $1/2$ from pure guessing. We will not dwell on the composition security of a classical $\delta_E$ guarantee with no quantum probe held in quantum memory, as it appears entirely adequate. On the other hand, as will be discussed in the next subsection III C, there is no known guarantee in the case when quantum memory is available for a related quantum criterion $d$. A contrary claim has been repeatedly made in the literature [25], including a recent broad review of QKD security [5]. The error in such a claim can be traced to an incorrect inference on the meaning of the classical statistical distance, to be presently discussed.
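To make Theorem 3 and the $\delta_E$ remark above concrete, here is an added Python example (written for this page, not taken from the paper) that builds the distribution of the proof, $n$ uniform bits followed by $m$ bits that are known deterministic Boolean functions of them, and computes $I_E/|K| = (|K| - H(K))/|K|$, the statistical distance $\delta_E = \delta(p, U)$ to the uniform distribution, and whether the trailing bits are determined by the leading ones. For the one-extra-bit case it returns $I_E/(n+1) = 1/(n+1)$ and $\delta_E = 1/2$ exactly, i.e. the construction sits right at the boundary of the counting claim that no deterministic bit can leak when $\delta_E < 1/2$; with $m$ determined bits it gives $I_E/(n+m) = m/(n+m)$ and $\delta_E = 1 - 2^{-m}$. The Boolean functions used (parity, AND of two bits), the value $n = 10$ and all names are choices made for this example.

```python
from itertools import product
from math import log2


def theorem3_distribution(n, funcs):
    """p(K) over (n + len(funcs))-bit strings: the first n bits are uniform and
    bit n+j equals funcs[j](first n bits), a known deterministic Boolean function.
    Returns {bit tuple: probability}; strings with probability 0 are omitted."""
    dist = {}
    for head in product((0, 1), repeat=n):
        tail = tuple(int(bool(f(head))) for f in funcs)
        dist[head + tail] = 2.0 ** -n
    return dist


def entropy_bits(dist):
    return -sum(p * log2(p) for p in dist.values() if p > 0)


def eve_info_per_bit(dist, length):
    """I_E/|K| = (|K| - H(K))/|K|: Eve's mutual information per key bit."""
    return (length - entropy_bits(dist)) / length


def delta_E(dist, length):
    """delta(p, U): statistical distance to the uniform distribution on `length` bits."""
    u = 2.0 ** -length
    in_support = sum(abs(p - u) for p in dist.values())
    outside = (2 ** length - len(dist)) * u        # strings with p = 0 contribute u each
    return (in_support + outside) / 2


def tail_determined_by_head(dist, n):
    """True if the bits after position n are a function of the first n bits,
    i.e. knowing the head reveals the tail with certainty (the PKL leak)."""
    seen = {}
    for bits in dist:
        head, tail = bits[:n], bits[n:]
        if seen.setdefault(head, tail) != tail:
            return False
    return True


def parity(head):
    return sum(head) % 2


def and01(head):
    return head[0] & head[1]


def demo(n=10):
    """Quantities for one and two leaked bits, plus an all-uniform control key."""
    one = theorem3_distribution(n, [parity])
    two = theorem3_distribution(n, [parity, and01])
    ctrl = theorem3_distribution(n + 1, [])          # n+1 uniform bits: no leak
    return {
        "one_bit": (eve_info_per_bit(one, n + 1), delta_E(one, n + 1),
                    tail_determined_by_head(one, n)),
        "two_bits": (eve_info_per_bit(two, n + 2), delta_E(two, n + 2),
                     tail_determined_by_head(two, n)),
        "uniform": (eve_info_per_bit(ctrl, n + 1), delta_E(ctrl, n + 1),
                    tail_determined_by_head(ctrl, n)),
    }


if __name__ == "__main__":
    for name, vals in demo().items():
        print(name, vals)
```

The contrast between the first two entries and the uniform control is the point of the theorem: a per-bit leak of only $1/11$ in $I_E$ terms already coincides with one bit being a deterministic function of the others, while the uniform key shows $I_E = 0$, $\delta_E = 0$ and no determined bit.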

It was suggested that between two distributions $P, Q$ for two random variables $X$ and $X'$ over the same range $\mathcal{X}$ of $N$ elements, the statistical distance

$$\delta(P,Q) = \tfrac{1}{2}\sum_{x}|P(x) - Q(x)| \qquad (10)$$

"can be interpreted as the probability that two random experiments described by $P$ and $Q$ respectively, are different" [11],[17], an interpretation repeated in refs. [12], [28]. The justification for the interpretation is given by lemma 1 in refs [11], [28] which states that for any two distributions $P$ and $Q$ for $X$ and $X'$ there exists a joint distribution $P_{XX'}$ that gives $P, Q$ as marginals with

$$\Pr[X \ne X'] = \delta(P,Q). \qquad (11)$$

However, to the extent it makes sense to talk about such a joint distribution, the interpretation would obtain only if "there exists" is replaced by "for every". This is because, since there is no knowledge on such a joint distribution, one cannot assume the most favorable case via "there exists" for a security guarantee or for general interpretation. Indeed, it is not clear at all what realistic meaning can be given or claimed for the realization of such a joint distribution, other than the independent case $P_{XX'} = P \cdot Q$. This independent case is the appropriate one to consider since one is just comparing two distributions $P$ and $Q$ with $\delta(P,Q)$. In such a case, even if both $P$ and $Q$ are the same uniform distribution so that $\delta(P,Q) = 0$, we have $\Pr[X \ne X'] = 1 - 1/N$, and the two sides of (11) are almost as far apart as they could be since both must be between $0$ and $1$. This is also a counter-example to the interpretation. As a matter of fact, whether (11) holds is irrelevant to how close $P$ and $Q$ are according to $\delta(P,Q)$.

Furthermore, instead of (11) the following equation (12) is a consequence of the interpretation,

$$P(x) = (1 - \epsilon)Q(x) + \epsilon P'(x) \qquad (12)$$

where $P'$ is a probability distribution on $\mathcal{X}$. Indeed (12) may be taken as the mathematical representation of the interpretation, apart from a possible "partition ensemble fallacy" which we will not discuss since there is no need. However, (12) cannot be true when $\delta(P,Q) = \epsilon$, because that occurs if and only if $\delta(P',Q) = 1$, which in turn holds if and only if $P'$ and $Q$ are never both nonzero on the same $x$. The latter never occurs when $\mathcal{X}$ is taken to be the common range of $P$ and $Q$ as indicated. Thus, not only is the interpretation not proven, it has nothing to do with (11) and cannot even be true. One can also see this from the immediate fact that $P \ne Q$ for sure whenever $\delta(P,Q) = \epsilon > 0$.
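The two arguments above, that (11) depends entirely on which joint distribution is assumed and that the mixture (12) has $\delta(P,Q) = \epsilon\,\delta(P',Q)$, can both be checked with exact arithmetic. The Python script below is an added example for this page (not code from the paper or from refs [11], [17], [28]): it computes $\delta(P,Q)$ of (10), builds the coupling whose existence lemma 1 asserts (shared mass on the diagonal, leftover mass paired off so that $\Pr[X \ne X'] = \delta$), builds the independent coupling $P \cdot Q$, and forms the mixture of (12). The sample distributions (uniform on 8 and 4 points, a point mass $P'$, $\epsilon = 1/8$) and all function names are constructed for the example.

```python
from fractions import Fraction as Fr


def stat_distance(P, Q):
    """delta(P, Q) of (10): half the L1 distance, over the union of the supports."""
    return sum(abs(P.get(x, 0) - Q.get(x, 0)) for x in set(P) | set(Q)) / 2


def uniform(N):
    return {x: Fr(1, N) for x in range(N)}


def prob_differ(joint):
    """Pr[X != X'] under a joint distribution given as {(x, x'): weight}."""
    return sum(w for (x, xp), w in joint.items() if x != xp)


def marginals(joint):
    """Recover (P, Q) from a joint distribution, to check that a coupling is valid."""
    P, Q = {}, {}
    for (x, xp), w in joint.items():
        P[x] = P.get(x, 0) + w
        Q[xp] = Q.get(xp, 0) + w
    return P, Q


def independent_coupling(P, Q):
    """P_XX' = P . Q: the joint distribution actually realized when two
    independent experiments described by P and Q are run."""
    return {(x, xp): P[x] * Q[xp] for x in P for xp in Q}


def maximal_coupling(P, Q):
    """The coupling whose existence lemma 1 asserts: marginals P and Q with
    Pr[X != X'] = delta(P, Q).  The mass shared by P and Q sits on the diagonal;
    the leftover mass of P and of Q (disjoint supports, total delta each) is
    paired off independently, so every off-diagonal pair has x != x'."""
    keys = set(P) | set(Q)
    delta = stat_distance(P, Q)
    joint, p_rest, q_rest = {}, {}, {}
    for x in keys:
        shared = min(P.get(x, 0), Q.get(x, 0))
        if shared:
            joint[(x, x)] = shared
        p_rest[x] = P.get(x, 0) - shared
        q_rest[x] = Q.get(x, 0) - shared
    if delta:
        for x in keys:
            for xp in keys:
                w = p_rest[x] * q_rest[xp] / delta
                if w:
                    joint[(x, xp)] = joint.get((x, xp), 0) + w
    return joint


def mixture(Q, P_prime, eps):
    """The P of (12): (1 - eps) Q + eps P'."""
    return {x: (1 - eps) * Q.get(x, 0) + eps * P_prime.get(x, 0)
            for x in set(Q) | set(P_prime)}


def demo():
    """P = Q uniform on N = 8 points: delta = 0, yet Pr[X != X'] is 7/8 under the
    independent coupling and 0 under the maximal one, so (11) by itself says
    nothing about closeness.  Then the mixture of (12): delta(P, Q) equals
    eps * delta(P', Q), which reaches eps only if P' and Q have disjoint supports."""
    U = uniform(8)
    Q, P_prime, eps = uniform(4), {0: Fr(1)}, Fr(1, 8)
    P = mixture(Q, P_prime, eps)
    return {
        "delta_uniform": stat_distance(U, U),
        "differ_independent": prob_differ(independent_coupling(U, U)),
        "differ_maximal": prob_differ(maximal_coupling(U, U)),
        "delta_mixture": stat_distance(P, Q),
        "eps_times_delta_prime": eps * stat_distance(P_prime, Q),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With $P'$ a point mass inside the support of the uniform $Q$, the mixture gives $\delta(P,Q) = 3/32 < \epsilon = 4/32$, which is the sense in which (12) cannot hold with $\delta(P,Q) = \epsilon$ unless $P'$ and $Q$ never overlap.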

III C. Composition Security in QKD and the Criterion $d$

In the quantum case Holevo's bound is often used to bound the accessible information $I_E$ Eve may obtain via some quantum measurement in the key generation process. In the presence of enduring quantum memory, however, Eve may utilize the bit knowledge she obtained on parts of $K$ via KPA in conjunction with the quantum probe still in her possession to get at the rest of $K$. In this quantum case there is the additional issue of lockable information [12], that a random variable side information $S$ may reveal to Eve more than $H(S)$ bits of information on $K$, which is impossible classically. Without the quantum probe there would be at most $H(S)$ bits of classical information, which is already reflected in $H_E(K)$ for the PKL problem. In [29], it was suggested that if Eve's optimal mutual information on $K$ from a quantum measurement, called the accessible information $I_{acc}$, is exponentially small in $n$ for large $n$, then the $n$-bit $K$ is composition secure according to their quantitative definition. While the mathematical result in [29] is correct, it was pointed out in [12] via a counter-example with one-time pad use of $K$ that the result does not have the interpretation given in [29] to guarantee their composition security. In particular, it was shown that for $I_E/n \sim 2^{-l}$, each $l$ bits of knowledge on $K$ may yield another bit. For $I_E/n < \epsilon$ the fraction of bit leakage may thus go up from $\epsilon$ to $1/\log(1/\epsilon)$, an exponential increase from the case where no quantum memory is available. For $l = 10$, the possible leak thus increases from 0.1% to 10%.

The following remedy was suggested [11], [17] by using the criterion (5). Let $\rho_E^k$ be the state in Eve's possession conditioned on a generated key value $k$, and let

$$\rho_U = \frac{1}{|K|}\sum_k |k\rangle\langle k| \qquad (13)$$

be the completely mixed uniform state on the $|K| = 2^n$ orthonormal $|k\rangle$'s. It is assumed that the a priori probability of $K$ to Eve before she measures on her probe is uniform. Then the security criterion $d$ is the trace distance

$$d = \tfrac{1}{2}\,\|\rho_{KE} - \rho_U \otimes \rho_E\|_1 \qquad (14)$$

where

$$\rho_{KE} = \frac{1}{|K|}\sum_k |k\rangle\langle k| \otimes \rho_E^k \qquad (15)$$

and

$$\rho_E = \frac{1}{|K|}\sum_k \rho_E^k. \qquad (16)$$

The trace distance $\|\rho - \sigma\|_1$ between two states is related to the classical statistical distance $\delta(P,Q)$ between two probability distributions as follows [11]. For any POVM or von Neumann measurement made on $\rho$ and $\sigma$ with resulting distributions $P$ and $Q$,

$$\|\rho - \sigma\|_1 < \epsilon \;\Rightarrow\; \delta(P,Q) < \epsilon. \qquad (17)$$

Using (17) and (11) it is concluded [11, p. 414], [17, Prop 2.1.1] that when $d < \epsilon$ the key is $\epsilon$-secure: with probability $p > 1 - \epsilon$ the real and the ideal situation of perfect security can be considered identical, where the ideal situation is one where $K$ is replaced by a uniformly distributed random variable $U$ which is independent of $\rho_E^k$. This statement is repeatedly made [25] and provides the following two very desirable consequences that supply both raw and composition security significance. Under $d < \epsilon$, with probability $p > 1 - \epsilon$ the key $K$ is universally composable (or at least so for partial key leakage) and it is the same as the uniform $U$ to Eve for the raw security apart from composition. Note that, similar to the invalidity of (12), $d = \epsilon$ does not imply

$$\rho_{KE} = (1 - \epsilon)\,\rho_U \otimes \rho_E + \epsilon\,\sigma_{KE} \qquad (18)$$

for some joint density operator $\sigma_{KE}$. Equation (18) may lend itself to the above incorrect interpretation. Specific counter-examples and further discussion of (18) can be found in ref [30].



To see how (5) does not give an $\epsilon$-secure key and how $\delta_E$ enters, we now trace the steps of the above incorrect derivation [11]. Let $P_y^k = P(y|k)$ be Eve's probability distribution on her measurement result $y$ conditioned on an actual generated $k$, i.e., through $\rho_E^k$, with $P_y = P(y)$ the distribution obtained through $\rho_E$. For $d < \epsilon$, (17) and (14) imply, with Eve's a priori distribution on $k$ given by $U$,

$$\delta(P_y^k U_k,\, P_y U_k) < \epsilon. \qquad (19)$$

Under the incorrect interpretation, this implies $P_y^k = P_y$ independent of $k$ with probability $> 1 - \epsilon$, thus Eve's corresponding CPD $P(k|y)$ is equal to $U$ also with probability $> 1 - \epsilon$. Not only does this conclusion not follow unless (11) is true, one can see that $P(k|y) \ne U$ for sure as long as $\rho_E^k$ or $P_y^k$ carries any $k$-dependence, i.e., when there exists $k_1 \ne k_2$ with $P_y^{k_1} \ne P_y^{k_2}$ for a given $y$. This is because $P_y^k$ then depends on $k$ and thus Eve cannot have $U$ as her CPD for the given $y$.

To derive the raw security meaning of $d < \epsilon$, we first observe that since Bob and Eve perform their "local" operations separately, the criterion $d$ is exactly equivalent to

$$d = E_k\big[\,\|\rho_E^k - \rho_E\|_1\big] \qquad (20)$$

and (5) is just a condition on the $\rho_E^k$. With $E_k$ the average over the $2^n$ possible values of $K$, equality of the right hand sides of (14) and (20) follows from lemma 2 of ref. [11] directly. The right-hand side of (20) is actually one of the criteria proposed in [29].

Apart from an increase in $\epsilon$ from a Markov inequality guarantee for individual $k$, (20) implies

$$\|\rho_E^k - \rho_E\|_1 < \epsilon. \qquad (21)$$

From (21), (17), and (10) it follows that given an $n'$-bit $y_{n'}$, Eve's CPD $P(k|y)$ satisfies

$$|P(k|y) - U_k| < \epsilon\, U_k / P_y. \qquad (22)$$

The best guarantee from (22) on the smallest $P(k|y)$ over all possible $n'$-bit $y_{n'}$ is at $P_{y_{n'}} = U_{y_{n'}}$, i.e., the minimax of $P_y$ over $y$ and $P_y$ is obtained by $P_y = U_y$. Exactly similar results are obtained for subsequences $y_{m'}$ of $y_{n'}$, corresponding to (9). Thus, (22) would reduce to $\delta(P,U) = \delta_E < \epsilon$ when the number of possible $y$'s is $N$. With key sifting, error correction and privacy amplification, the number of such possible $y$ is much larger, and so $U_k/P_y$ is a very large number that would render the guarantee (22) useless. Thus, (21)-(22) does not turn into a useful $\delta_E < \epsilon$ guarantee on Eve's CPD. This also means (5) implies no composition security guarantee through $\delta_E$ for the case of no quantum memory.
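As an added, purely classical illustration of (19)-(22) (example code written for this page, not code from the paper or from refs [11], [17]), the script below constructs a toy model of Eve's measurement: the key $k$ is $n$ bits and uniform, her result $y$ is $n'$ bits, and $P(y|k)$ is uniform except for a "leak weight" $\eta$ that favours the $y$'s whose low $n$ bits equal $k$. It computes $\epsilon = \max_k \delta(P_y^k, P_y)$ (the classical stand-in for (21) via (17)), Eve's CPD $P(k|y)$ and its distance $\delta_E$ from $U$, the actual worst deviation $|P(k|y) - U_k|$, and the bound $\epsilon\,U_k/P_y$ of (22). With $n' = n$ the bound equals the actual deviation; with $n' = n + 6$ the same $\epsilon$ gives a bound of $2^6\epsilon$, above 1 and therefore empty, while $P(k|y) \ne U$ for every $y$ because $P(y|k)$ depends on $k$. The model, $\eta$, the sizes $n = 4$, $n' = 10$ and all names are constructed for the example.

```python
from fractions import Fraction as Fr


def eve_channel(n, n_prime, eta):
    """Constructed toy P(y|k): k in {0..2^n-1}, y in {0..2^n'-1}, n' >= n.
    With weight (1 - eta) y is uniform; with weight eta y is uniform over the
    2^(n'-n) outcomes whose low n bits equal k (the k-dependence Eve can use)."""
    K, Y = 1 << n, 1 << n_prime
    base, bump = (1 - eta) / Y, eta / (Y // K)
    return {k: {y: base + (bump if y % K == k else 0) for y in range(Y)}
            for k in range(K)}


def stat_distance(P, Q):
    """delta(P, Q) of (10) for two distributions on the same keys."""
    return sum(abs(P[x] - Q[x]) for x in P) / 2


def marginal_y(chan):
    """P_y = sum_k U_k P(y|k) with the a priori U_k = 1/|K| assumed in the text."""
    K = len(chan)
    return {y: sum(chan[k][y] for k in chan) / K for y in next(iter(chan.values()))}


def posterior(chan, y, P_y):
    """Eve's CPD P(k|y) = P(y|k) U_k / P_y."""
    K = len(chan)
    return {k: chan[k][y] / (K * P_y) for k in chan}


def analyse(n, n_prime, eta):
    chan = eve_channel(n, n_prime, eta)
    K = len(chan)
    U = {k: Fr(1, K) for k in chan}
    P_y = marginal_y(chan)
    # classical analogue of (21): distance of each P^k_y from P_y; eps is the worst k
    eps = max(stat_distance(chan[k], P_y) for k in chan)
    delta_E = actual_dev = bound_22 = Fr(0)
    never_uniform = True
    for y, py in P_y.items():
        post = posterior(chan, y, py)
        never_uniform &= post != U
        delta_E = max(delta_E, stat_distance(post, U))            # delta(P(.|y), U)
        actual_dev = max(actual_dev, max(abs(post[k] - U[k]) for k in post))
        bound_22 = max(bound_22, max(eps * U[k] / py for k in post))   # eps U_k / P_y
    return {"eps": eps, "delta_E": delta_E, "actual_max_dev": actual_dev,
            "bound_22": bound_22, "P_k_given_y_never_uniform": never_uniform}


if __name__ == "__main__":
    print("n' = n    :", analyse(4, 4, Fr(1, 16)))
    print("n' = n + 6:", analyse(4, 10, Fr(1, 16)))
```

In the second run $\epsilon = \delta_E = 15/256$ and the true deviation is also $15/256$, but the right-hand side of (22) is $15/4$: the factor $U_k/P_y = 2^{n'-n}$ alone turns a tight statement into a vacuous one, which is the mechanism the paragraph above attributes to sifting, error correction and privacy amplification.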

An $\epsilon$-secure key is evidently "universally composable" as concluded previously. Since $d < \epsilon$ does not imply the key is $\epsilon$-secure, the composability problem remains in the presence of quantum memory. It is not yet known what the level of PKL leakage may be under the $d < \epsilon$ guarantee, or whether leakage similar to the accessible information case is ruled out.

Since $\delta(P,Q) > 0$ implies $P \ne Q$ for sure [31], we have the following situation:

(A) Under $d = \epsilon$, Eve's probability distribution $p(K)$ is not the uniform $U$ for sure,

which can be compared to the following claim in the literature [25]:

(A') Under $d = \epsilon$, Eve's probability distribution $p(K)$ is $U$ with probability $1 - \epsilon$.

Note the huge difference between (A) and (A'); the latter is currently used to justify the IT security guarantee of a QKD key. On the other hand, (A') is actually impossible from (A), and the probabilistic or operational significance of $d < \epsilon$ for both the quantitative raw and composition security is unknown.



IV. Importance of Security Proof and Numerical Values

Physical cryptography raises new conceptual issues in addition to the already subtle ones in both conventional symmetric-key and asymmetric-key cryptography. In order to fully assess the significance of the above results for actual security guarantees, we will discuss some such conceptual issues in this section.



IV A. Security Proof in Physical Cryptography

We first observe that, in contrast to almost all problems in physics and most in engineering, a guarantee of cryptographic security cannot be obtained by experiments, which can show that a task is carried out well but not that something general is impossible. An experiment can implement a specific attack and show that it does not work, but one cannot implement all possible attacks.

All proofs are based on reasoning on specific givens; in this case the mathematical model of the physical cryptosystem must be valid for the actual situation if the proof is to mean what it says in a real application. In standard or conventional cryptography, where purely mathematical relations constitute the entire security mechanism, there is already a problem with the realistic features of an operating cryptosystem that cannot be incorporated in a general mathematical representation and must be treated on an individual ad hoc basis, such as the case of the RSA timing attack. In a physical cryptosystem involving either classical noise sources or quantum effects, the actual mathematical representation is a major issue due to the presence of other interfering physical effects that may play a crucial role in the actual cryptographic security. In particular, quantum information is an unusual area in physics where a very small disturbance can lead to major consequences. In BB84 type QKD there is a serious problem of system and device modeling at the time of use, see, e.g., refs [32]-[35], which arises from the single-photon nature of the signal. In particular, a device imperfection can entirely compromise the security of a BB84 protocol [34]-[35]. The issue here is not that the device imperfection cannot be removed, but rather how many such undiscovered loopholes there are in practice. However, in this paper we do not deal with these issues but only with the fundamental quantitative security assuming the physical model is exactly correct.

The excitement of physical cryptography and particularly QKD is mainly derived from the belief that unconditional information-theoretic security is possible for generating fresh keys, which can be proved mathematically given a model. This is in sharp contrast to conventional cryptography, in which asymmetric-key cryptosystems have only complexity based security, the strength of which is further based on unproved though widely accepted assumptions on the difficulties of various mathematical problems. For symmetric-key conventional ciphers against KPA, the design is even more of "an art", with security based on less widely shared beliefs in the problem complexity of various attack algorithms. In QKD, "unconditional security" means all possibilities of an attacker gaining more "information" than a designed level are ruled out except for a small probability which is itself a design parameter. That is, claim (a) in the Introduction of this paper is maintained.

In contrast to a perfect key $K_p$ the QKD generated key $K$ can never be perfect because Eve could always obtain some "information" by an attack during the physical key generation process. The crucial questions are then what operational meaning the various security criteria and proofs have. These questions are already subtle ones in conventional cryptography, see for example the dispute described in ref [36] on public-key systems and the complaint on the lack of a proper security foundation in symmetric-key ciphers [20]. In physical cryptography such questions are much more acute, while a similar security situation has not arisen previously in any real cipher. These problems do arise in a more restricted manner (no quantum memory) in classical-noise key generation which, however, has never found publicly known actual deployment, and the criterion of $I_E/n$ was employed without any discussion of its adequacy in a cryptographic context [1]-[3].

The various probabilities one can obtain from a mathematical model have a clear empirical or operational meaning, in the same sense that probability in quantum physics or communication engineering has empirical meaning. However, various theoretical constructs such as $I_E$ and $\delta_E$ do not automatically have the meaning that would ensure whatever security we may desire in an application. They are really no more than constraints on the possible distribution $p(K)$ Eve may obtain in an attack and need to be transformed into operational guarantees, as done in this paper. In particular, it is misleading to claim that the system is secure if $\epsilon$ can be made exponentially small in $|K|$, as the following shows.

For example, for a 1,000 bit $K$, if $I_E/n < 2^{-20}$, which is an "exponentially small" number to many, one may thus claim $K$ is "secure". From Theorem 1 it is not ruled out that Eve may identify $K$ with a probability $2^{-20}$. Since $I_E/n$ is obtained under an average over all possible key values, from (7) and the surrounding discussion the final security guarantee then becomes: with a probability $> 1 - 2^{-10}$, Eve has $I_E/n < 2^{-10}$ and thus she may not be able to get the whole $K$ from her measurement with probability more than $2^{-10}$. This is a weaker security guarantee than the simple statement that for sure Eve could not get $K$ with probability more than $p_1 = 2^{-10}$ from her measurement. Since $|K| = 10^3 \gg 10$, such a guarantee clearly does not rule out, with a small enough overall probability, a disastrous breach of security in which Eve determines the whole $K$ with probability $2^{-10} \approx 10^{-3}$ from her measurement result alone, without any further use context on $K$. Even for $p_1 = 2^{-100}$, one may ask in what sense such a $K$ is near a perfect 1,000 bit $K_p$, particularly in view of all the other subset breach probabilities given in (3).

It is the role of a security proof to rule out such a disastrous breach of security (here it is Eve being able to identify $K$ at a probability $p_1 \sim 10^{-3}$ from her measured result) by making it very unlikely if not impossible, certainly not at a probability $\sim 10^{-3}$. A security breach with probability $\sim 10^{-3}$ is only a possibility; whether Eve can actually do it depends on what her distribution $p(K)$ is, which is obtained via her specific attack that gives her $p(K)$. A QKD guarantee in terms of accessible information shows no $I_E/n$ can exceed a designed level $\epsilon$ when averaged over specific $k$. Such a guarantee leaves open the above possibility that cannot be further averaged out: Eve knows her $p(K)$, which is fixed by her attack. Indeed, the possible large leakage from an accessible information guarantee in composition security when Eve has quantum memory, as given in ref [12], is exactly the same in this regard: it shows a serious compromise of security is not ruled out under the security condition given in [29].

A security proof via $\delta_E < \epsilon$ or $I_E < \epsilon$ is exactly of the same nature, and $d < \epsilon$ is adequate only if one uses the mistaken interpretation (A') in subsection III C instead of the correct (A). Unless $I_E/n$ or $\delta_E$ is close to $2^{-|K|}$, the QKD generated $K$ is very far from a perfect $K_p$, while a security proof of $d < \epsilon$ has uncertain quantitative significance in terms of empirically meaningful probabilities. We will now discuss the numerical situation further and specifically.



IV B. Actual Quantitative Guarantee

We summarize the status of the quantitative security guarantee situation in Table I. Note that $d < \epsilon$ is not listed because it has no clear security significance. The security parameter is $\epsilon$ and smaller $\epsilon$ means the system is more secure. Recall that raw security measures the information Eve has just from her attack before the key $K$ is used, and composition security in this case refers only to the fraction $f$ of deterministic bits that Eve could get on $K$ from knowing the rest of $K$ as in a KPA. The $K'$ are subsequences of the $n$-bit $K$, $N = 2^n$. All the filled entries in the table other than "$f \sim ?$" are worst case leaks except for the composition security under $I_E/n < \epsilon$. In that case the leak of $f \sim \epsilon$ would also occur in some probabilistic form other than deterministic bits of $K$ in the case of no quantum memory. With quantum memory $f \sim 1/\log(1/\epsilon)$ has not been shown to be the worst scenario. It is important to observe that the fraction $f$ of bits leaked can be distributed in any fashion and not just uniformly in $K$. Thus, there could be a serious security breach even when $f$ is very small. This shows the importance of semantic security.

In current experimental scenarios the final generated key in a single cycle, or round, of QKD after error correction and privacy amplification could have $|K|$ in the thousands of bits or more. The necessary message authentication shared secret key $K_a$ that is needed to create a "public channel" in BB84 type protocols has never been explicitly integrated into the protocol and accounted for. It is reasonable to assume $|K_a| \sim 100$ for each round is to be used with one of the current message authentication codes, since $|K_a| > 40$ is typically used for many such codes. Compared to the alternative use of $K_a$ as the seed key $K_m$ in a conventional cipher, it is clear that but for KPA there is little point in using a QKD generated $K$ from the viewpoint of security guarantee. When the input data can be assumed uniformly random to Eve, such a conventional cipher $K'$ would give better protection than the QKD keys that can readily be generated in the foreseeable future. This is evident from the fact that, even without taking (7) into account, the best current $I_E/n \sim 2^{-10}$ [16], and $d$ has apparently not been used in an actual experimental system while theoretical estimates give $d = 10^{-5}$ to $2^{-17}$ [18]-[19]. In all these cases $n$ is $10^3$ or much larger. In the literature such numerical evaluation was never compared to the benchmark of a perfect $K_p$.

TABLE I: Quantitative Security in QKD. (The body of the table did not survive extraction; the only legible fragments are the row labels $p_1(K) < \epsilon$ and $I_E/n < \epsilon$ and the cell entries "with probability $\epsilon$" and "no quantum" memory.)

One main problem in this connection is that almost every relevant quantity is "exponentially small" here. If one takes that to mean $2^{-\lambda n}$, $0 < \lambda < 1$, and $|K| = n$, it all depends on how large $\lambda$ is. Indeed $n$ is not "asymptotic" either in a real protocol. Thus, the actual security depends on the precise numerical values of the system parameters and one cannot capture the situation by a vague qualitative remark. Other than $p_1(K)$ for identifying the whole $K$, under (5) for $\epsilon = 2^{-l}$ any large subset $K'$ of $K$ may still be determined with a much larger probability $2^{-l}$ than the uniform one of $2^{-|K'|}$. It is clear that the incorrect statement (A') in section III C is sorely needed for good security guarantee, but (A) shows in a strong way that (A') is forever unachievable.

V. Conclusion and Outlook

In this paper we have seen that realistic QKD generated keys have inadequate raw security and no composition security guarantee. One may obtain a much better raw security probability guarantee with conventional ciphers. The perception to the contrary is due mainly to a mistaken interpretation of the security criterion $d < \epsilon$, which actually has no clear operational security significance. One may view the logical/historical development on the information theoretic security of the generated key as follows. The Shannon limit on conventional key expansion leads to very poor composition security under known plaintext attack. This composition security predicament is rectified by QKD via the mutual information criterion when the attacker does not possess good quantum memory, but the problem remains when she does. At the same time the raw security guarantee worsens in concrete QKD protocols. Since $I_E/n < \epsilon \sim 2^{-\lambda|K|}$ needs to go down exponentially for a linear bit improvement in the security of $K$, it does not appear promising to try a brute-force experimental approach for increased security of either the raw or composition kind. The criterion $\delta_E < \epsilon$ may be used in a classical noise protocol; it provides good PKL security but has problems similar to $I_E/n$ for raw security. It is not clear how its quantum generalization may be developed and what its composition security would be in the presence of quantum memory. In the absence of adequate guarantee on both raw and composition security, QKD would lose its main claim of merit over conventional cryptography and would reduce in practice to a mere "art" similar in many ways to the latter.

What can be done about it? The following four alternative routes may be suggested:

(i) At the expense of efficiency, it may be possible to improve security under (3)-(4) by appropriate privacy amplification. However, privacy amplification cannot improve $p_1$ [9, section III D]. Due to the small $l$ that can be obtained, this does not look promising for a real protocol to get $l$ (near) uniform bits in $K$ from $p_1 \sim 2^{-l}$ even if possible. The effective key generation rate would be reduced from $r$ to $r' = rl/n$ for an $n$-bit $K$.

(ii) One may use more efficient key generation schemes from the KCQ approach [9] other than QKD with intrusion level estimation. The possibility of obtaining adequate security with such an approach against all attacks can be explored.

(iii) One may limit the security to just the more realistic attacks that can be launched with foreseeable technology advance. This would rule out, in particular, joint attacks that involve actual quantum entanglement over several or more subsystems. The situation may then be reduced to that of a wiretap channel [1] and one may generate near-uniform $K$ with a nonvanishing final key rate [37].

(iv) One may limit the devices Eve possesses to more realistic ones. In particular, this would exclude long and near-perfect quantum memory and help the composition security instantly. Devices that are totally free of the many limits that have been around for a long time may also be excluded. This restriction is in addition to and independent of that in (iii), as it concerns device realization rather than unknown in-principle schematic realization, although both can be brought under the general classification of limited technology.

Given the subtle modeling question in physical cryptography and especially in BB84 type protocols, it is not clear that (iii)-(iv) entail any loss of true security in a real world application as compared to the inadequate levels one may obtain in an ideal model that allows Eve all the physical possibilities. Note that all conventional cryptosystems are currently being deployed under assumptions equivalent to (iii)-(iv) on unavailable algorithms and computing power, which are of a mathematical nature instead of physical ones. It is not clear why mathematical presumptions are better than physical ones. One may argue the contrary in some situations. The clear advantage of physical cryptography is that it is difficult to launch an attack or to obtain just the "ciphertext", in sharp contrast to conventional cryptosystems. It is possible that this feature alone is enough to justify the deployment of physical cryptosystems in some applications.